Montreal comp sci student reports massive bug, is expelled and threatened with arrest for checking to see if it had been fixed

Ahmed Al-Khabaz was a 20-year-old computer science student at Dawson College in Montreal, until he discovered a big, glaring bug in Omnivox, software widely used by Quebec's junior college system. The bug exposed the personal information (social insurance number, home address, class schedule) of its users. When Al-Khabaz reported the bug to François Paradis, his college's Director of Information Services and Technology, he was congratulated. But when he checked a few days later to see if the bug had been fixed, he was threatened with arrest and made to sign a secret gag-order whose existence he wasn't allowed to disclose. Then, he was expelled:

“I was called into a meeting with the co–ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”

The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student. They're sending a clear signal that you're better off publicly disclosing bugs without talking to faculty or IT than going through channels, because "responsible disclosure" means that bugs go unpatched, students go unprotected, and your own teachers will never, ever have your back.

Because if you’re going to be doing something like that, you could easily be confused with someone doing something malicious. If you’re going to run a diagnostic that can be used to identify vulnerabilities, and not do anything to prevent it from being traced back to you, you should probably at the very least notify the company/department.

I think it was an overreaction for him to be expelled; I’m just saying the headline is misleading.

It’s not naive to think “they don’t want me in their systems and expelled me for it. Better get right up back in them now that I have even less permission to access them after being denied, and even less permission on top of that now that I’m expelled”?

Sure, but I’m pretty sure it’s illegal to run vulnerability scanners on someone’s network without their permission. While it might be naive to assume that they fixed it, it’s probably more naive to assume that they won’t throw the book at you for trying to break their security. Bureaucracy may not be efficient, but that doesn’t mean it’s not litigative.

You, sir, either have no idea what you’re talking about, or are an idiot. Omnivox is web-based, and I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades then going back a few days later is worthy of jail time, then you have a loose grip on reality. If there is even a shred of truth to this article, then you are entirely blaming the victim for the outrageous actions of a cabal of spineless bullies.

“I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades then going back a few days later is worthy of jail time, then you have a loose grip on reality”

That’s not a good reason to me. Yes, it can be dumb… if you are a full-grown man. Are we forgetting that, first of all, young people do stupid things and that is exactly why we have different treatments for different ages? He might be 20, but in some states in the US he can’t even drink.

We can’t throw away the process of becoming an adult and start arresting and ruining people’s lives that way. Otherwise, you’ll start building a society of risk-averse people, and THAT is dumb.

When a child is about to touch the stove do you take the time to rationally explain that stoves are hot and they should not pursue trying to touch it or do you act quickly to stop them even if it might make them cry?

Not to mention the school opting to protect an outside vendor who placed their entire student body at risk doesn’t seem like a grown up response.

This is absolutely fucking retarded. However… the moment he was threatened with jail time and forced to sign a secret gag order, he should’ve told them to park their goddamn asses while he went and consulted a lawyer. (Affording a lawyer when you’re a 20-year-old student is an entirely separate challenge, granted.)

Now, I suppose that technically his access a second time could be considered evidence of malicious behaviour and he doesn’t have the law on his side to be confident that a judge would throw the assholes out of court, but never sign a gag order without talking to a lawyer. (I am not a lawyer and I am not qualified to give legal advice; this is my idea of ‘common sense’ and a safe bet. Your laws may allow you to be gagged without legal counsel.)

If this jurisdiction is like most, absence of “malicious intent” to do bad stuff after you gain access to protected computer information does not preclude you from guilt.

The typical statute criminalizes intentionally gaining access to or exceeding authorized access to a computer system, and thereby obtaining information from any protected computer. It’s the “breaking and entering” law of the internet age. Simply getting in the door and looking at stuff is illegal. We can debate if this is overly broad, but this is the law of most lands. As such, he broke it the second time if not the first. Should he be prosecuted? Hell no. That is where prosecutorial discretion should kick in. Should this school have booted him? While I don’t think so on the facts we have, we don’t know all of the conversations that were had after he first notified. It’s hard to imagine facts that could come to light supporting his expulsion, but they may exist. He should be lauded and I hope some other school gives him a full ride scholarship.

FWIW, this jurisdiction operates under the Quebec version of the Napoleonic Code rather than the more regular Common Law basis. If McGill is on it, they should be able to pick him up without trouble. That said, completion of his year in CEGEP (roughly junior college in Quebec, standing in for residents’ first year at university) at Dawson would probably have to be waived.

Like I said, his actions are going to be, by default, considered evidence of malicious behaviour, because he’s performing (as a whitehat) an exploit against their systems. He does not have the law on his side, because of this.

But my non-expert, non-lawyerly advice is, if someone other than a member of law enforcement is threatening you with jail time and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward. Unless you, yourself, are a lawyer licensed to practice in the area and so are likely to be more aware of your rights than the average layman, you should be going to one. If law enforcement is involved, that brings police procedure into the picture and it quickly gets a lot more complex and complicated, but he didn’t get that far.

“… if someone other than a member of law enforcement is threatening you with jailtime and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward.”
FIFY. Don’t talk to police.

Perhaps they were trying to teach him about the real world. I recall a story about an engineer at Cisco, I believe, that discovered a huge security flaw in their routers. When he first approached management with it they gagged him, and then when he approached them years later as it still hadn’t been fixed they fired him. That’s the story I remember anyway, doesn’t sound so different…

Because corporations want everyone to think they have perfectly secure systems. They can threaten people to keep the news from getting out, so they do.

PayPal told the world the DDoS against them hurt nothing, and yet people were arrested around the globe and pursued wildly… PayPal claiming large losses to help the cases get better sentences.

Look at Sony. Hacked a multitude of times, pointing to Anonymous as evil super hackers… when the truth is they failed to follow basic security rules. They had known for a long time about the vulnerabilities which led to the hack and didn’t care enough to fix it. The rest of their network fell around the globe because the cost of keeping the systems secure was higher than dealing with the fallout of a hack.

Now that this story has legs, I’m betting his troubles are over. Assuming he’s really a white hat, there are plenty of universities that would be convinced by the journalism to let this guy have a second crack at his degree, and plenty of companies that would love to hire him. All he needs to do is staple the most favorable version of the story to his resume.

Yeah, I’d love to think that… time will tell. Given all the other horror stories I’m hearing from Big Education, it’s at least equally plausible that college is broken and not in a position to repair itself. No real black hats here, just a bunch of insecure profs with imposter syndrome.

To me there is no debate when it comes to outing a flaw: do it publicly and anonymously. Contacting someone “in charge” seems to be too much of a burden in most cases. Then again, no one forced you to be a white knight, so deal with it and learn to flip burgers.

As this flaw directly affected him, he had a vested interest.
If a website was handing out your Social Security Number (or equivalent) to anyone who could diddle a web interface, wouldn’t you want to make sure it was fixed?

Funny you should ask about that because there was a tax web site here in Australia which did that. The guy who found the problem reported the security hole to the relevant authorities and they called the police, charges were laid against him, etc.

Yet again we have ugly proof of the old saying about shooting the messenger. I wonder if authority figures have ever considered the possibility that people would be a little less cynical about authority if they would actually respond to the problem instead of punishing the person who alerted them to its existence because they feel embarrassed by the lapse.

Sadly, this sounds vaguely familiar. When I was in undergrad, I noticed that there were many personal details publicly visible in my University’s LDAP directory. The University had a front end for staff in LDAP, but not students.

So, I made a nice front-end for browsing the student directory. It was very useful for managing student society membership (and probably stalking, if you were into that kind of thing). It had a disclaimer, saying where the data was coming from, and I spread the word about it, assuming the IT department would eventually notice, and lock down the LDAP ACLs.

Eventually word reached the high echelons of the IT department, and they were very upset. Thankfully, I was lucky. All I had to do was take the front-end down, and write them a letter of apology to avoid them taking me to the University court. Of course, I sucked up, and thankfully that was the end of that. Naturally, they didn’t actually do anything about the leak and the private student details were still visible to anyone who knew where to look…

“you could easily be confused with someone doing something malicious.”

If he wanted to be naughty, he probably would not have reported said bug but simply exploited it quietly.

This is bureaucratic stupidity in its finest form. I will wager they had not even begun to look at fixing the actual problem but simply hoped that if they were nice to it, it would go away and not bother them.

The company he “hacked” has a contract for all of the schools, there is lots of money… one can see pressure from above as some players, not introduced in the story yet, protect their revenue streams that are kicked back to them.

It is ironic that those holding power positions at universities are becoming less and less qualified to understand the way technology works, especially those who are supposed to teach the newer generations. I’d say screw you: if I find a bug exposing my personal info and you try to cover it up and ignore it, I would sue the hell out of you. I’d even publish the fact to the students, but not the method, so they can sue the university too.

If you pay attention to the maxim, “Those who can, do. Those who can’t, teach” it’s not all that surprising.

University professors really don’t make all that great of a salary. If your school happens to have a contract with someone like IBM or Microsoft to help with product evaluation and feedback, you might get a bit of a stipend from the vendor, but it’s not exactly “common”.

edit: I found this posted on another website:
“the moral of the story is to keep bugs you find in proprietary software secret or, since trying to alert the creator to the issue can get you in trouble, sell the secret to someone who will use it

you have no obligation to help proprietary software work and if you do discover a flaw, exploiting it for personal profit is not any different, morally, than using the software to begin with

the reason he was threatened is because of fear of lawsuits on the part of the proprietary software vendor. This is the nature of proprietary software, making perverse incentives for your behavior

he was incentivized to sell the information, acting morally with regards to an immoral system was his error. It was his duty to exploit it, not report it”

which was called “post of the week” by another poster. Food for thought, but I’m tech retarded, myself.

He was running a vulnerability scanner after the fact, and it actively runs exploits. Just because you can do something, doesn’t mean you should do something.

He made a very serious mistake in testing it later. It is not your computer and not your software to be messing with. Furthermore, it isn’t even the issue of him finding the bug, it is the issue of running the Acunetix software which is used to probe security holes automatically. This is like going up to a neighbor’s door with a set of master keys you found and trying each key in the door until it opens, and then yelling to your neighbor, HEY YOUR DOOR IS OPEN.

What I am saying is there are two issues here. Issue 1: a bug is found that is serious. Issue 2: the student ran a vulnerability scanner INSTEAD of just solely testing for his own bug, so it was huge and noticeable. He shouldn’t have tested his bug on computers that weren’t his.

Furthermore, he should be forgiven, he is just young and naive and did not have the scruples to go about how one should safely disclose this kind of issue.

This is an incredible overreaction on the part of the college and the company. They have turned a relatively boring software bug into nationwide news due to their overly zealous behaviour. They should have known better.

As an update, the company who wrote the software apparently is offering him a scholarship and a part time job in software security. The school faculty and administration may be idiots, but it sounds like the software company understands a bit more about how the setup is supposed to work than the school does.

Yes, a corporation who cut corners decided what he did was a “cyber attack”.
This is spin to make the easily led think he was an evil hacker stealing cookies.

It’s not like the student used a homebrewed tool to attack their system.
I am much more curious how they saw him in the log and were able to call him seconds later. I’d like someone to review the rest of those logs and see how many times the system had been accessed via the flaw previously. Just because this student found this doesn’t mean he was the first… just the first to report it… maybe… NDAs and such…
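Two of the comments above touch on something a defender can actually act on: one guesses the flaw was a URL of the shape http://site/profile/studentid=123, and the last asks for a review of the web logs to see how often that path had been used to read other students’ records. As an added example (not code from the page, from Omnivox, or from the college), the check below runs over a constructed access log whose format is an assumption: client IP, the authenticated student id from the session, timestamp, request line and status. It flags every successful profile read where the requested studentid is not the session’s own id and summarises who did it and how many distinct records were touched.

```python
import re
from collections import Counter

# Constructed sample log (not from the page). Assumed fields: client IP, "-",
# authenticated student id from the session, [timestamp], "request line", status.
SAMPLE_LOG = """\
10.0.0.5 - 123 [18/Jan/2013:10:01:02 -0500] "GET /profile/studentid=123 HTTP/1.1" 200
10.0.0.5 - 123 [18/Jan/2013:10:01:09 -0500] "GET /profile/studentid=124 HTTP/1.1" 200
10.0.0.5 - 123 [18/Jan/2013:10:01:11 -0500] "GET /profile/studentid=125 HTTP/1.1" 200
10.0.0.9 - 200 [18/Jan/2013:10:05:40 -0500] "GET /profile/studentid=200 HTTP/1.1" 200
10.0.0.9 - 200 [18/Jan/2013:10:05:44 -0500] "GET /schedule HTTP/1.1" 200
10.0.0.7 - 300 [19/Jan/2013:22:13:01 -0500] "GET /profile/studentid=301 HTTP/1.1" 200
10.0.0.7 - 300 [19/Jan/2013:22:13:01 -0500] "GET /profile/studentid=302 HTTP/1.1" 403
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The profile URL shape a commenter guessed at; the parameter name is an assumption.
PROFILE_RE = re.compile(r'^/profile/studentid=(?P<sid>\d+)$')


def find_cross_account_reads(log_text):
    """Return (ip, session_user, requested_sid, timestamp) for every profile read
    that succeeded (HTTP 200) and asked for a student id other than the session's own."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        p = PROFILE_RE.match(m["path"])
        if not p:
            continue  # not a profile request
        if p["sid"] != m["user"] and m["status"] == "200":
            hits.append((m["ip"], m["user"], p["sid"], m["ts"]))
    return hits


def summarize(hits):
    """Group cross-account reads by (ip, session user) and count distinct records read."""
    per_source = Counter((ip, user) for ip, user, _, _ in hits)
    distinct_ids = {sid for _, _, sid, _ in hits}
    return {"sources": dict(per_source), "distinct_ids": len(distinct_ids)}


if __name__ == "__main__":
    found = find_cross_account_reads(SAMPLE_LOG)
    for ip, user, sid, ts in found:
        print(f"{ts}: session {user} from {ip} read profile of student {sid}")
    print(summarize(found))
```

A 403 on a cross-account request is evidence the authorization check was in place at that time, which is why the summary only counts 200 responses; comparing hit counts before and after a claimed fix date is the quickest way to tell whether the flaw was actually closed.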